Balancing Enterprise Risk Management and Enterprise Performance Management
Poorly planned and executed risk management capabilities contributed to the recent economic collapse, and they are likewise impeding the recovery as companies have shifted from taking too many risks to taking too few. This paper, authored by Mark Foster, Daniel T. London, and Eva Dewor, discusses how effective risk management requires finding the balance between prevention and value generation. This balance can be achieved by integrating enterprise risk management with enterprise performance management so that the risk and performance parts of an organization work together towards a common goal.
How and Why Risk Management Processes Failed
There are several factors that contributed to the recent widespread failure of risk management systems. One factor was the complexity and speed of the 2008 market collapse, which outpaced companies’ abilities to keep up from a risk management standpoint. Another contributing factor was the fragmented, incomplete information most companies received, limiting the ability to adequately identify and mitigate risks in a timely manner. Non-integrated ERM capabilities also contributed: only 8% of organizations in a recent Accenture survey reported having centralized, fully integrated risk management capabilities used across the enterprise. This lack of integration leads to redundancy and increased costs at a time when budgets are tightening.
Inadequate enterprise performance management capabilities also contributed to risk management system failures. Only 20% of respondents to an Accenture study described their enterprise performance management capabilities as “advanced”, meaning many companies cannot adequately focus their risk management activities to drive better business performance. The dominance of a compliance mindset is another contributing factor, as a compliance focus tends to drive a reactive rather than a proactive risk management culture. An ERM study by Accenture supports the dominance of this mindset: 72% of responding executives thought the risk management function had a major impact on compliance with regulations, with fewer (53%) believing risk management had a major impact on competitive advantage, reputation in public and media, or enabling profitability growth. Finally, inadequate governance structures and risk cultures contributed: even when data were available, there was often a lack of governance and escalation processes to translate the data into action.
A New Approach to Risk Management
Risk management challenges facing companies are very broad and there are several steps companies can take to develop a more effective approach to risk management.
Taking a more comprehensive view
Risk management solutions need to pervade the operating model of the business to adequately protect and advance companies. Effective ERM offers a holistic view of the enterprise and considers the two sides of any risk management activity: the control-based loss prevention and risk mitigation aspect, and the strategic and entrepreneurial aspect that focuses on evaluating risk to pursue business advantages. IT architecture is a constraint for many companies, as only 23% of respondents to an ERM survey by Accenture report having fully integrated IT architectures to help manage risk. However, an integrated ERM approach is something companies should strive for: an Accenture survey indicates companies that have successfully integrated ERM are significantly more likely to be satisfied or very satisfied with their company’s overall management of financial and non-financial risks (79%) than laggards (33%).
Achieving better focus and specificity
Companies need transparency in their portfolio so there is sufficient specificity available to provide actionable information. By using diverse and sophisticated key performance indicators and risk-adjusted performance measures, companies can link their decision-making to value creation. Also, by embedding risk management in the organization’s structures, roles, and accountabilities, monitoring systems and dashboards are at the necessary level of specificity for action to be taken.
Providing better data
Data quality is also important to an effective risk management system as companies need the right information at the right time and level of granularity to assess risks and take action. Accenture uses a Continuous Controls Monitoring technique, which uses IT to mine companies’ transactional data to assess risks and provide business insights. This system improves overall risk management capabilities by monitoring all transactional data rather than just a small sample.
Creating a more effective risk management culture
Risk management needs to have a prominent place in the overall corporate agenda and be reinforced regularly to have sufficient power to drive the organization. Risk management should be supported by a chief risk officer who is an empowered member of the executive team. An integrated risk culture will enable companies to assess risks and identify those for which controlling and mitigating actions are most warranted. Companies should also recalibrate incentive structures to ensure rewards encourage behaviors that create long-term shareholder value rather than focusing on the short term. Embedding these processes in an organization will enable companies to more consistently and effectively implement their chosen level of risk tolerance across the enterprise.
Citation: Foster, Mark. “Constructive Tension.” Outlook, June 2009.